HashiConf 2024 Now streaming live from Boston! Attend for free
Vault
Vault Home

You are viewing documentation for version v1.4.x. View latest version.

Vault Agent Auto-Auth Kerberos Method

The kerberos agent provides an automated mechanism to retrieve a Vault token for Kerberos entities. It reads in configuration and identification information from the surrounding environment, and uses it to authenticate to Vault.

For more on this auth method, see the Kerberos auth method.

Configuration

  • krb5conf_path is the path to a valid krb5.conf file describing how to communicate with the Kerberos environment.
  • keytab_path is the path to the keytab in which the entry lives for the entity authenticating to Vault. Keytab files should be protected from other users on a shared server using appropriate file permissions.
  • username is the username for the entry within the keytab to use for logging into Kerberos. This username must match a service account in LDAP.
  • service is the service principal name to use in obtaining a service ticket for gaining a SPNEGO token. This service must exist in LDAP.
  • realm is the name of the Kerberos realm. This realm must match the UPNDomain configured on the LDAP connection. This check is case-sensitive.